Yahoo came up with a (quite frankly) moronic plan, telling users that if they hadn’t logged into their Yahoo account in the last 12 months, and didn’t log in by July 15th 2013, the company was going to give other people the chance to grab the account.
I and other commentators thought the idea was terribly stupid from the security point of view for a variety of reasons.
Not unexpectedly, Yahoo’s PR team has gone into overdrive as it saw the negative reaction caused by its announcement.
Let’s take a close look at what they’ve said in their PR statement, sentence by sentence:
Our goal with reclaiming inactive Yahoo! IDs is to free-up desirable namespace for our users.
We’re committed and confident in our ability to do this in a way that’s safe, secure and protects our users’ data.
It’s important to note that the vast majority of these inactive Yahoo! IDs don’t have a mailbox associated with them.
Any personal data and private content associated with these accounts will be deleted and will not be accessible to the new account holder.
I mean, it’s good that you won’t allow the new account holder to read any past emails that the account has received, but it seems that they *will* be able to receive any *future* email the account receives. And that’s quite a problem.
To ensure that these accounts are recycled safely and securely, we’re doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce back emails alerting senders that the deactivated account no longer exists.
In fact, what you have done by bouncing a message back is told the sender that the email address is potentially available for grabbing – a nice tip-off for an identity thief, and no good at all to the account’s true owner.
We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others.
Wouldn’t it have been better if Yahoo had just left the accounts alone in the first place?
Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties.
I’d like to see Yahoo provide a list of all the sites they plan to contact with this list of email addresses that are potentially up for grabs.
I imagine that’s quite a long list of websites that could have had accounts created on them. After all, Yahoo wouldn’t forget to include any sites would it… I mean, it’s a search engine so it probably has a grasp on how many websites there are out there, right?
And, umm, isn’t there some slight risks in contacting – lets say, x million – websites with a long list of Yahoo IDs and email addresses that are being deactivated and available for anyone to claim? Heaven knows how the websites themselves are supposed to respond.
To be clear – I don’t have a problem if Yahoo wants to close unused accounts if they haven’t been used for – say – 12 months, so long as they have clearly communicated that to the user at sign-up as one of the conditions. After all, that could be a big incentive to buy a professional account with an extra “no closure” guarantee.
But I *do* think it’s idiotic to then allow a complete stranger to grab the email address – and potentially see future emails that were meant only to be seen the original owner.
Admit it Yahoo. This whole idea of yours is half-baked, and sounds utterly impossible to pull off competently.
You should throw your plan away in the trash can where it belongs.